
Step by Step Configure Router Vyatta 6.5.2


Chapter 2: IPsec Site-to-Site VPN / IPsec Site-to-Site VPN Configuration (page 26)

• The IP address of the remote peer.
• The authentication mode that the peers will use to authenticate one another. The Vyatta system supports peer authentication by pre-shared secret (pre-shared key, or PSK), so you must also supply the string that will be used to generate the hashed key. Digital signatures and X.509 certificates are also supported.
• The IKE group to be used in the connection.
• The ESP group to be used in the connection.
• The IP address on this Vyatta system to use for the tunnel. This IP address must be pre-configured on the interface enabled for VPN.
• The communicating subnet or host for each end of the tunnel. You can define multiple tunnels for each VPN peer, and each tunnel can use a different security policy.
When supplying a pre-shared secret, keep the following in mind:

A pre-shared secret, or pre-shared key (PSK), is a method of authentication. The secret, or key, is a string agreed upon beforehand by both parties as the key for authenticating the session. It is used to generate a hash such that each VPN endpoint can authenticate the other.

Note that the pre-shared secret, although an ordinary string, is not a “password.” It is actually used to generate a hashed key to form a “fingerprint” proving the identity of each endpoint. This means that long, complex strings are more secure than short strings. Choose complex pre-shared secrets and avoid short ones, which can be more easily compromised by an attack.

The pre-shared secret is not passed during IKE negotiation. It is configured on both sides, and must match on both sides.

A pre-shared secret is an example of symmetric cryptography: the key is the same on both sides. Symmetric encryption algorithms are less computationally intensive than asymmetric algorithms, and are therefore faster. However, in symmetric cryptography, the two communicating parties must exchange keys in advance. Doing this securely can be a problem.

Pre-shared secret and digital signatures are the most common methods of IKE authentication. Pre-shared secret is an easy and effective way to quickly set up authentication with little administrative overhead. However, it has several drawbacks:
• If a pre-shared key is captured and no one is aware of it, the attacker has access to your network as long as that key is in use.
• Pre-shared secrets are manually configured, so they should be regularly changed. However, this task often falls off the list of busy network administrators. Using pre-shared key values with remote users is equivalent to giving them a password to your network.

NOTE: You should restrict the use of pre-shared keys to smaller, low-risk environments.

VPN 6.5R1 v01 Vyatta


Example 2-4 defines a site-to-site connection to EAST. In this example:
• This connection is configured with a single tunnel:
— Tunnel 1 communicates between 192.168.40.0/24 on WEST and 192.168.60.0/24 on EAST, using ESP group ESP-1W.
• WEST uses IP address 192.0.2.1 on eth1.
• EAST uses IP address 192.0.2.33 on eth0.
• The IKE group is IKE-1W.
• The authentication mode is pre-shared secret. The pre-shared secret is “test_key_1”.
To configure this connection, perform the following steps on Vyatta system WEST in configuration mode.
Example 2-4 Creating a site-to-site connection from WEST to EAST

Step: Create the node for EAST and set the authentication mode.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication mode pre-shared-secret

Step: Navigate to the node for the peer for easier editing.
  vyatta@WEST# edit vpn ipsec site-to-site peer 192.0.2.33
  [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Provide the string that will be used to generate encryption keys.
  vyatta@WEST# set authentication pre-shared-secret test_key_1
  [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Specify the default ESP group for all tunnels.
  vyatta@WEST# set default-esp-group ESP-1W
  [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Specify the IKE group.
  vyatta@WEST# set ike-group IKE-1W
  [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Identify the IP address on this Vyatta system to be used for this connection.
  vyatta@WEST# set local-address 192.0.2.1
  [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Create a tunnel configuration, and provide the local subnet for this tunnel.
  vyatta@WEST# set tunnel 1 local prefix 192.168.40.0/24
  [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Provide the remote subnet for the tunnel.
  vyatta@WEST# set tunnel 1 remote prefix 192.168.60.0/24
  [edit vpn ipsec site-to-site peer 192.0.2.33]

Step: Return to the top of the configuration tree.
  vyatta@WEST# top

Step: Now commit the configuration.
  vyatta@WEST# commit


Step: View the configuration for the site-to-site connection.
  vyatta@WEST# show vpn ipsec site-to-site peer 192.0.2.33
  authentication {
      mode pre-shared-secret
      pre-shared-secret test_key_1
  }
  default-esp-group ESP-1W
  ike-group IKE-1W
  local-address 192.0.2.1
  tunnel 1 {
      local {
          prefix 192.168.40.0/24
      }
      remote {
          prefix 192.168.60.0/24
      }
  }

Step: View IPsec interface configuration.
  vyatta@WEST# show vpn ipsec ipsec-interfaces
  interface eth1

Step: View Ethernet interface eth1 address configuration. local-address is set to this address.
  vyatta@WEST# show interfaces ethernet eth1 address
  address 192.0.2.1/27

Configure EAST
This section presents the following topics:
• Enabling VPN on EAST
• Configuring an IKE Group on EAST
• Configuring an ESP Group on EAST
• Creating the Connection to WEST
This section presents the following examples:
• Example 2-5 Enabling IPsec VPN on EAST
• Example 2-6 Configuring an IKE group on EAST
• Example 2-7 Configuring an ESP group on EAST
• Example 2-8 Creating a site-to-site connection from EAST to WEST


ENABLING VPN ON EAST

In this section, you enable IPsec VPN on the interfaces that will be used in VPN connections on Vyatta system EAST. The VPN tunnel in the example configuration extends from eth1 on WEST through the wide area network to eth0 on EAST. This means that eth0 on EAST must have VPN enabled. The other interfaces on EAST need not.

Example 2-5 enables IPsec VPN on eth0 on EAST. To do this, perform the following steps on EAST in configuration mode.
Example 2-5 Enabling IPsec VPN on EAST

Step: Enable VPN on eth0 on EAST.
  vyatta@EAST# set vpn ipsec ipsec-interfaces interface eth0

Step: View IPsec interface configuration. Don’t commit yet.
  vyatta@EAST# show vpn ipsec ipsec-interfaces
  > interface eth0

CONFIGURING AN IKE GROUP ON EAST

Example 2-6 creates IKE group IKE-1E on EAST. This IKE group contains two proposals:
• Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm.
• Proposal 2 uses AES-128 as the encryption cipher and SHA-1 as the hash algorithm.
The lifetime of a proposal from this IKE group is set to 3600 seconds.

Note that these parameters correspond to those set in IKE-1W on WEST. You must ensure, in defining proposals, that the encryption ciphers and hash algorithms are such that the two peers will be able to agree on at least one combination.

To create this IKE group, perform the following steps on EAST in configuration mode.
Example 2-6 Configuring an IKE group on EAST

Step: Create the configuration node for proposal 1 of IKE group IKE-1E.
  vyatta@EAST# set vpn ipsec ike-group IKE-1E proposal 1

Step: Set the encryption cipher for proposal 1.
  vyatta@EAST# set vpn ipsec ike-group IKE-1E proposal 1 encryption aes256

Step: Set the hash algorithm for proposal 1.
  vyatta@EAST# set vpn ipsec ike-group IKE-1E proposal 1 hash sha1


Step: Set the encryption cipher for proposal 2. This also creates the configuration node for proposal 2 of IKE group IKE-1E.
  vyatta@EAST# set vpn ipsec ike-group IKE-1E proposal 2 encryption aes128

Step: Set the hash algorithm for proposal 2.
  vyatta@EAST# set vpn ipsec ike-group IKE-1E proposal 2 hash sha1

Step: Set the lifetime for the whole IKE group.
  vyatta@EAST# set vpn ipsec ike-group IKE-1E lifetime 3600

Step: View the configuration for the IKE group. Don’t commit yet.
  vyatta@EAST# show vpn ipsec ike-group IKE-1E
  > proposal 1 {
  >     encryption aes256
  >     hash sha1
  > }
  > proposal 2 {
  >     encryption aes128
  >     hash sha1
  > }
  > lifetime 3600

CONFIGURING AN ESP GROUP ON EAST

Example 2-7 creates ESP group ESP-1E on EAST. This ESP group contains two proposals:
• Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm.
• Proposal 2 uses Triple-DES as the encryption cipher and MD5 as the hash algorithm.
The lifetime of a proposal from this ESP group is set to 1800 seconds.

To create this ESP group, perform the following steps on EAST in configuration mode.
Example 2-7 Configuring an ESP group on EAST

Step: Create the configuration node for proposal 1 of ESP group ESP-1E.
  vyatta@EAST# set vpn ipsec esp-group ESP-1E proposal 1

Step: Set the encryption cipher for proposal 1.
  vyatta@EAST# set vpn ipsec esp-group ESP-1E proposal 1 encryption aes256



Step: Set the hash algorithm for proposal 1.
  vyatta@EAST# set vpn ipsec esp-group ESP-1E proposal 1 hash sha1

Step: Set the encryption cipher for proposal 2. This also creates the configuration node for proposal 2 of ESP group ESP-1E.
  vyatta@EAST# set vpn ipsec esp-group ESP-1E proposal 2 encryption 3des

Step: Set the hash algorithm for proposal 2.
  vyatta@EAST# set vpn ipsec esp-group ESP-1E proposal 2 hash md5

Step: Set the lifetime for the whole ESP group.
  vyatta@EAST# set vpn ipsec esp-group ESP-1E lifetime 1800

Step: View the configuration for the ESP group. Don’t commit yet.
  vyatta@EAST# show vpn ipsec esp-group ESP-1E
  > proposal 1 {
  >     encryption aes256
  >     hash sha1
  > }
  > proposal 2 {
  >     encryption 3des
  >     hash md5
  > }
  > lifetime 1800
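The text above stresses that the two peers must be able to agree on at least one IKE and one ESP proposal. The following Python script is an added example, not Vyatta code: the EAST groups are the ones configured in Examples 2-6 and 2-7, the WEST groups IKE-1W and ESP-1W are assumed to mirror them (the text says IKE-1W does), and the legacy-algorithm list is this example's own policy choice.

```python
"""Proposal-agreement check for a pair of IKE or ESP groups.

Added example, not Vyatta code.  EAST's groups reproduce Examples 2-6
and 2-7; WEST's groups are constructed on the assumption that they
mirror EAST (stated for IKE-1W in the text, assumed here for ESP-1W).
"""

# Algorithms a defender should not let a tunnel settle on.  Treating
# 3DES and MD5 as legacy is this example's policy, not a Vyatta rule.
LEGACY_ENCRYPTION = {"3des"}
LEGACY_HASH = {"md5"}

# A group is its proposals in configured order plus a lifetime in seconds.
IKE_1E = {"proposals": [("aes256", "sha1"), ("aes128", "sha1")], "lifetime": 3600}
ESP_1E = {"proposals": [("aes256", "sha1"), ("3des", "md5")], "lifetime": 1800}
IKE_1W = {"proposals": [("aes256", "sha1"), ("aes128", "sha1")], "lifetime": 3600}  # assumed
ESP_1W = {"proposals": [("aes256", "sha1"), ("3des", "md5")], "lifetime": 1800}   # assumed


def agreed_proposals(initiator, responder):
    """Proposals present in both groups, in the initiator's preference order.

    An empty list means the negotiation cannot succeed.  The first entry is
    what a responder that honours the initiator's ordering will select.
    """
    accepted_by_responder = set(responder["proposals"])
    return [p for p in initiator["proposals"] if p in accepted_by_responder]


def legacy_proposals(group):
    """Proposals in the group that use a deprecated cipher or hash."""
    return [(enc, hsh) for enc, hsh in group["proposals"]
            if enc in LEGACY_ENCRYPTION or hsh in LEGACY_HASH]


def check_pair(name, initiator, responder):
    """Return (agreed proposals, human-readable findings) for one group pair."""
    findings = []
    agreed = agreed_proposals(initiator, responder)
    if not agreed:
        findings.append(f"{name}: no common proposal, negotiation will fail")
    for enc, hsh in legacy_proposals(initiator) + legacy_proposals(responder):
        findings.append(f"{name}: legacy proposal {enc}/{hsh} is offered; "
                        "a peer can steer the tunnel onto it")
    if initiator["lifetime"] != responder["lifetime"]:
        findings.append(f"{name}: lifetimes differ ({initiator['lifetime']}s vs "
                        f"{responder['lifetime']}s); whichever expires first rekeys")
    # Both sides may carry the same legacy entry; keep each finding once.
    return agreed, list(dict.fromkeys(findings))


if __name__ == "__main__":
    for name, west, east in (("IKE", IKE_1W, IKE_1E), ("ESP", ESP_1W, ESP_1E)):
        agreed, findings = check_pair(name, west, east)
        print(name, "agreed:", agreed)
        for finding in findings:
            print("  !", finding)
    # Constructed mismatch: a group offering only AES-128/SHA-256 shares
    # nothing with ESP-1E, so no tunnel would ever come up.
    only_aes128_sha256 = {"proposals": [("aes128", "sha256")], "lifetime": 1800}
    print("mismatch:", check_pair("ESP", only_aes128_sha256, ESP_1E))
```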

CREATING THE CONNECTION TO WEST

Example 2-8 defines a site-to-site connection to WEST. In this example:
• This connection is configured with a single tunnel:
— Tunnel 1 communicates between 192.168.60.0/24 on EAST and 192.168.40.0/24 on WEST, using ESP group ESP-1E.
• EAST uses IP address 192.0.2.33 on eth0.
• WEST uses IP address 192.0.2.1 on eth1.
• The IKE group is IKE-1E.
• The authentication mode is pre-shared secret. The pre-shared secret is “test_key_1”.
To configure this connection, perform the following steps on EAST in configuration mode.
Example 2-8 Creating a site-to-site connection from EAST to WEST

Step: Create the node for WEST and set the authentication mode.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret


Step: Navigate to the node for the peer for easier editing.
  vyatta@EAST# edit vpn ipsec site-to-site peer 192.0.2.1
  [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Provide the string that will be used to generate encryption keys.
  vyatta@EAST# set authentication pre-shared-secret test_key_1
  [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Specify the default ESP group for all tunnels.
  vyatta@EAST# set default-esp-group ESP-1E
  [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Specify the IKE group.
  vyatta@EAST# set ike-group IKE-1E
  [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Identify the IP address on this Vyatta system to be used for this connection.
  vyatta@EAST# set local-address 192.0.2.33
  [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Create a tunnel configuration, and provide the local subnet for this tunnel.
  vyatta@EAST# set tunnel 1 local prefix 192.168.60.0/24
  [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Provide the remote subnet for the tunnel.
  vyatta@EAST# set tunnel 1 remote prefix 192.168.40.0/24
  [edit vpn ipsec site-to-site peer 192.0.2.1]

Step: Return to the top of the configuration tree.
  vyatta@EAST# top

Step: Now commit the configuration.
  vyatta@EAST# commit

Step: View the configuration for the site-to-site connection.
  vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
  authentication {
      mode pre-shared-secret
      pre-shared-secret test_key_1
  }
  default-esp-group ESP-1E
  ike-group IKE-1E
  local-address 192.0.2.33
  tunnel 1 {
      local {
          prefix 192.168.60.0/24
      }
      remote {
          prefix 192.168.40.0/24
      }
  }

Step: View IPsec interface configuration.
  vyatta@EAST# show vpn ipsec ipsec-interfaces
  interface eth0


Step: View Ethernet interface eth0 address configuration. local-address is set to this address.
  vyatta@EAST# show interfaces ethernet eth0 address
  address 192.0.2.33/27
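With both sides configured, a practitioner wants to confirm that WEST's view of EAST and EAST's view of WEST are mirror images before troubleshooting a tunnel that will not come up. The script below is an added example, not part of the Vyatta documentation: it embeds the two `show vpn ipsec site-to-site peer` listings from Examples 2-4 and 2-8 and reports any setting that does not mirror; the parser and `check_mirror` are this example's own.

```python
"""Cross-check WEST's and EAST's 'show vpn ipsec site-to-site peer' output.
Added example, not Vyatta code.  The two listings from Examples 2-4 and
2-8 are embedded below; the checker reports anything that is not a
mirror image (peer vs local-address, authentication, tunnel prefixes)."""


def parse_config(text):
    """Parse Vyatta 'key value' / 'key {' / '}' lines into nested dicts;
    a leading '>' (uncommitted-change marker) is stripped."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()
        if not line:
            continue
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        else:
            key, _, value = line.partition(" ")
            node[key] = value.strip()
    return root


# WEST's configuration for peer 192.0.2.33 (Example 2-4).
WEST_PEER, WEST_CONF = "192.0.2.33", parse_config("""\
authentication {
    mode pre-shared-secret
    pre-shared-secret test_key_1
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.0.2.1
tunnel 1 {
    local {
        prefix 192.168.40.0/24
    }
    remote {
        prefix 192.168.60.0/24
    }
}
""")

# EAST's configuration for peer 192.0.2.1 (Example 2-8).
EAST_PEER, EAST_CONF = "192.0.2.1", parse_config("""\
authentication {
    mode pre-shared-secret
    pre-shared-secret test_key_1
}
default-esp-group ESP-1E
ike-group IKE-1E
local-address 192.0.2.33
tunnel 1 {
    local {
        prefix 192.168.60.0/24
    }
    remote {
        prefix 192.168.40.0/24
    }
}
""")


def tunnels(conf):
    """Map tunnel number -> (local prefix, remote prefix)."""
    return {k.split()[1]: (v["local"]["prefix"], v["remote"]["prefix"])
            for k, v in conf.items() if k.startswith("tunnel ")}


def check_mirror(west_peer, west, east_peer, east):
    """Findings where WEST's view of EAST and EAST's view of WEST disagree."""
    out = []
    if west["local-address"] != east_peer or east["local-address"] != west_peer:
        out.append("peer address and local-address are not mirrored")
    wa, ea = west["authentication"], east["authentication"]
    if wa["mode"] != ea["mode"]:
        out.append(f"authentication mode differs: {wa['mode']} vs {ea['mode']}")
    elif wa["mode"] == "pre-shared-secret" and wa.get("pre-shared-secret") != ea.get("pre-shared-secret"):
        out.append("pre-shared secrets differ; IKE authentication will fail")
    wt, et = tunnels(west), tunnels(east)
    for n in sorted(set(wt) | set(et)):
        if n not in wt or n not in et:
            out.append(f"tunnel {n} is defined on only one side")
        elif wt[n] != et[n][::-1]:  # WEST local/remote must equal EAST remote/local
            out.append(f"tunnel {n} prefixes are not mirrored: WEST {wt[n]} vs EAST {et[n]}")
    return out


if __name__ == "__main__":
    findings = check_mirror(WEST_PEER, WEST_CONF, EAST_PEER, EAST_CONF)
    print("consistent" if not findings else "\n".join(findings))
```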

Authenticating with RSA Digital Signatures

This section presents the following topics:
• Generate a Digital Signature on WEST
• Generate a Digital Signature on EAST
• Record EAST’s Public Key on WEST
• Modify WEST’s Connection to EAST
• Record WEST’s Public Key on EAST
• Modify EAST’s Connection to WEST

In this set of examples, you modify the VPN connection configured in the previous set of examples between WEST and EAST (“Configuring a Basic Site-to-Site Connection” on page 20). The site-to-site connection created in that set of examples used pre-shared keys for authentication. This set of examples modifies the connection to use RSA digital signatures for authentication.

Generate a Digital Signature on WEST

In this example, you generate WEST’s digital signature. This signature will have two parts: a public part (the public key) and a private part (the private key). The public key will be shared with EAST; the private key will remain secret.

To generate an RSA digital signature for system WEST, perform the following steps in operational mode.

Example 2-9 Generating a digital signature on WEST

Step: Generate the key.
  vyatta@WEST> generate vpn rsa-key

Step: The system warns you that the existing RSA key file will be overwritten. You have the opportunity to exit the key generation process by pressing <Ctrl>+c.
  A local RSA key file already exists and will be overwritten
  <CTRL>C to exit: 8


Step: The system indicates the location of the file where the key will be written.
  Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key

Step: The system displays the public portion of the generated key. By default, this key (including the private portion of the key) is stored in /config/ipsec.d/rsa-keys/localhost.key.
  Your new local RSA key has been generated
  The public portion of the key is:

  0sAQPEOQvukvkv1ofuO8gEKp7IFFZz4lQqMZyVMInoQKUU/T0iKSK/0NSH9
  Ldrr8yQUFayzKag6wM7ASXWXKyt0LS1Gn8tJVsjKGaOkFgLREtVJD3pRzoc
  7DSUOBViCD6f/TloTkPepRUtW1bmYev2H7tajSO0K0
  rqu+7nlocZI0ppMAyF6CS+Wd5W1JBpVGL+EkKfyEl9RagKxRW82XJbgY4LG
  77K2YDN90Wd2GgMY3kf+YJLIzFEt/xRbh2/380FMpdaUYcbY31o/5PedUut
  JCK5RMwl+IJGaxrKf1OmCQfzXlkM09ijZx8kzPIlBk
  5hulZrbUWjzBJdFcwFAyPM3yCuv3+ndFX00t3ZLfKu+/wX595J

  vyatta@WEST>

Generate a Digital Signature on EAST

In this example, you generate EAST’s digital signature. This signature will have two parts: a public part (the public key) and a private part (the private key). The public key will be shared with WEST; the private key will remain secret.

To generate an RSA digital signature for system EAST, perform the following steps in operational mode.

Example 2-10 Generating a digital signature on EAST

Step: Generate the key.
  vyatta@EAST> generate vpn rsa-key

Step: The system warns you that the existing RSA key file will be overwritten. You have the opportunity to exit the key generation process by pressing <Ctrl>+c.
  A local RSA key file already exists and will be overwritten
  <CTRL>C to exit: 5

Step: The system indicates the location of the file where the key will be written.
  Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key



Step: The system displays the public portion of the generated key. By default, this key (including the private portion of the key) is stored in /config/ipsec.d/rsa-keys/localhost.key.
  Your new local RSA key has been generated
  The public portion of the key is:

  0sAQOVBIJL+rIkpTuwh8FPeceAF0bhgLr++W51bOAIjFbRDbR8gX3Vlz6wi
  UbMgGwQxWlYQiqsCeacicsfZx/amlEn9PkSE4e7tqK/JQo40L5C7gcNM24m
  up1d+0WmN3zLb9Qhmq5q3pNJxEwnVbPPQeIdZMJxnb1+lA8DPC3SIxJM/3a
  t1/KrwqCAhX3QNFY/zNmOtFogELCeyl4+d54wQljA+3dwFAQ4bboJ7YIDs+
  rqORxWd3l3I7IajT/pLrwr5eZ8OA9NtAedbMiCwxyuyUbznxXZ8Z/MAi3xj
  L1pjYyWjNNiOij82QJfMOrjoXVCfcPn96ZN+Jqk+KknoVeNDwzpoahFOseJ
  REeXzkw3/lkMN9N1

  vyatta@EAST>

Record EAST’s Public Key on WEST

In this example, you record the public key you have obtained from EAST. The key is then saved under a name that you can refer to in site-to-site configuration.

A digital signature can be typed in manually, but digital signatures are lengthy and difficult to type. It is generally easier to copy the digital signature into the clipboard of your system and then paste it into the configuration. You can do this in a number of ways; for example:
• Receive the public key from the operator of the VPN peer in an e-mail, perhaps an e-mail protected by a PGP signature. Copy the key text into your clipboard.
• Obtain it from an X.509 certificate, provided by a certificate authority.
• Connect to the VPN peer directly through a Telnet or SSH control session. View the public portion of the key using a show command, select the text, and copy the key text into your clipboard.

Example 2-11 pastes EAST’s public key into RSA configuration. The name “EAST-key” is used as the identifier of the key.

Before you begin, copy EAST’s public key into your clipboard.


If you are in operational mode on WEST, enter configuration mode now and perform the following steps:

Example 2-11 Record EAST’s public key on WEST

Step: Specify a name for EAST’s public key and paste EAST’s public key into the configuration.
  vyatta@WEST# set vpn rsa-keys rsa-key-name EAST-key rsa-key
  0sAQOVBIJL+rIkpTuwh8FPeceAF0bhgLr++W51bOAIjFb
  RDbR8gX3Vlz6wiUbMgGwQxWlYQiqsCeacicsfZx/amlEn9PkSE4e7tqK/JQ
  o40L5C7gcNM24mup1d+0WmN3zLb9Qhmq5q3pNJxEwnVbPPQeIdZMJxnb1+l
  A8DPC3SIxJM/3at1/KrwqCAhX3QNFY/zNmOtFogELCeyl4+d54wQljA+3dw
  FAQ4bboJ7YIDs+rqORxWd3l3I7IajT/pLrwr5eZ8OA9NtAedbMiCwxyuyUb
  znxXZ8Z/MAi3xjL1pjYyWjNNiOij82QJfMOrjoXVCfcPn96ZN+Jqk+KknoV
  eNDwzpoahFOseJREeXzkw3/lkMN9N1

Step: Commit the configuration.
  vyatta@WEST# commit

Step: View the configuration for RSA keys. Since you have not changed the configuration for the local host’s key, it does not display.
  vyatta@WEST# show vpn rsa-keys
  rsa-key-name EAST-key {
      rsa-key 0sAQOVBIJL+rIkpTuwh8FPeceAF0bhgLr++
  W51bOAIjFbRDbR8gX3Vlz6wiUbMgGwQxWlYQiqsCeacicsfZx/amlEn9PkS
  E4e7tqK/JQo40L5C7gcNM24mup1d+0WmN3zLb9Qhmq5q3pNJxEwnVbPPQeI
  dZMJxnb1+lA8DPC3SIxJM/3at1/KrwqCAhX3QNFY/zNmOtFogELCeyl4+d5
  4wQljA+3dwFAQ4bboJ7YIDs+rqORxWd3l3I7IajT/pLrwr5eZ8OA9NtAedb
  MiCwxyuyUbznxXZ8Z/MAi3xjL1pjYyWjNNiOij82QJfMOrjoXVCfcPn96ZN
  +Jqk+KknoVeNDwzpoahFOseJREeXzkw3/lkMN9N1
  }

  vyatta@WEST#

Modify WEST’s Connection to EAST

Example 2-12 modifies the connection from WEST to EAST to use RSA digital signatures for authentication. In this example:
• The authentication mode is changed from pre-shared secret to RSA digital signatures.
• EAST’s public key is specified as the remote key, under the identifier configured in the previous step (see “Record EAST’s Public Key on WEST” on page 35).
To modify the site-to-site connection to use RSA configuration, perform the following steps:

Example 2-12 Configure WEST for RSA authentication

Step: Remove the pre-shared key.
  vyatta@WEST# delete vpn ipsec site-to-site peer 192.0.2.33 authentication pre-shared-secret



Step: Change the authentication mode.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication mode rsa

Step: Provide the identifier for EAST’s digital signature.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication rsa-key-name EAST-key

Step: Commit the configuration.
  vyatta@WEST# commit

Step: View the modified configuration for the site-to-site connection.
  vyatta@WEST# show vpn ipsec site-to-site peer 192.0.2.33
  authentication {
      mode rsa
      rsa-key-name EAST-key
  }
  default-esp-group ESP-1W
  ike-group IKE-1W
  local-address 192.0.2.1
  tunnel 1 {
      local {
          prefix 192.168.40.0/24
      }
      remote {
          prefix 192.168.60.0/24
      }
  }

Step: View IPsec interface configuration.
  vyatta@WEST# show vpn ipsec ipsec-interfaces
  interface eth1

Step: View Ethernet interface eth1 address configuration. local-address is set to this address.
  vyatta@WEST# show interfaces ethernet eth1 address
  address 192.0.2.1/27

Record WEST’s Public Key on EAST

Example 2-13 pastes WEST’s public key into RSA configuration. The name “WEST-key” is used as the identifier of the key.

Before you begin, copy WEST’s public key into your clipboard.


If you are in operational mode on EAST, enter configuration mode now and perform the following steps:

Example 2-13 Record WEST’s public key on EAST

Step: Specify a name for WEST’s public key and paste WEST’s public key into the configuration.
  vyatta@EAST# set vpn rsa-keys rsa-key-name WEST-key rsa-key
  0sAQPEOQvukvkv1ofuO8gEKp7IFFZz4lQqMZyVMIno
  QKUU/T0iKSK/0NSH9Ldrr8yQUFayzKag6wM7ASXWXKyt0LS1Gn8tJVsjKGa
  OkFgLREtVJD3pRzoc7DSUOBViCD6f/TloTkPepRUtW1bmYev2H7tajSO0K0
  rqu+7nlocZI0ppMAyF6CS+Wd5W1JBpVGL+EkKfyEl9RagKxRW82XJbgY4LG
  77K2YDN90Wd2GgMY3kf+YJLIzFEt/xRbh2/380FMpdaUYcbY31o/5PedUut
  JCK5RMwl+IJGaxrKf1OmCQfzXlkM09ijZx8kzPIlBk
  5hulZrbUWjzBJdFcwFAyPM3yCuv3+ndFX00t3ZLfKu+/wX595J

Step: Commit the configuration.
  vyatta@EAST# commit

Step: View the configuration for RSA keys. Since you have not changed the configuration for the local host’s key, it does not display.
  vyatta@EAST# show vpn rsa-keys
  rsa-key-name WEST-key {
      rsa-key 0sAQPEOQvukvkv1ofuO8gEKp7IFFZz4lQqMZy
  VMInoQKUU/T0iKSK/0NSH9Ldrr8yQUFayzKag6wM7ASXWXKyt0LS1Gn8tJV
  sjKGaOkFgLREtVJD3pRzoc7DSUOBViCD6f/TloTkPepRUtW1bmYev2H7taj
  SO0K0
  rqu+7nlocZI0ppMAyF6CS+Wd5W1JBpVGL+EkKfyEl9RagKxRW82XJbgY4LG
  77K2YDN90Wd2GgMY3kf+YJLIzFEt/xRbh2/380FMpdaUYcbY31o/5PedUut
  JCK5RMwl+IJGaxrKf1OmCQfzXlkM09ijZx8kzPIlBk
  5hulZrbUWjzBJdFcwFAyPM3yCuv3+ndFX00t3ZLfKu+/wX595J
  }

  vyatta@EAST#

Modify EAST’s Connection to WEST

Example 2-14 modifies the connection from EAST to WEST to use RSA digital signatures for authentication. In this example:
• The authentication mode is changed from pre-shared secret to RSA digital signatures.
• WEST’s public key is specified as the remote key, under the identifier configured in the previous step (see “Record WEST’s Public Key on EAST” on page 37).


To modify the site-to-site connection to use RSA configuration, perform the following steps:

Example 2-14 Configure EAST for RSA authentication

Step: Remove the pre-shared key.
  vyatta@EAST# delete vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret

Step: Change the authentication mode.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication mode rsa

Step: Provide the identifier for WEST’s digital signature.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication rsa-key-name WEST-key

Step: Commit the configuration.
  vyatta@EAST# commit

Step: View the modified configuration for the site-to-site connection.
  vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
  authentication {
      mode rsa
      rsa-key-name WEST-key
  }
  default-esp-group ESP-1E
  ike-group IKE-1E
  local-address 192.0.2.33
  tunnel 1 {
      local {
          prefix 192.168.60.0/24
      }
      remote {
          prefix 192.168.40.0/24
      }
  }

Step: View IPsec interface configuration.
  vyatta@EAST# show vpn ipsec ipsec-interfaces
  interface eth0

Step: View Ethernet interface eth0 address configuration. local-address is set to this address.
  vyatta@EAST# show interfaces ethernet eth0 address
  address 192.0.2.33/27

Authenticating with X.509 Certificates

This section presents the following topics:
• Modify WEST’s Connection to EAST
• Modify EAST’s Connection to WEST

In this set of examples, you modify the VPN connection configured in the basic set of examples between WEST and EAST (“Configuring a Basic Site-to-Site Connection” on page 20). The site-to-site connection created in that set of examples used pre-shared keys for authentication. This set of examples modifies the configuration to use X.509 certificates for authentication.

In general, the procedure for obtaining the files required to authenticate using X.509 certificates is as follows:
1 Generate the private key and a certificate signing request (CSR) based on the public key. This can be accomplished using generate vpn x509 key-pair <name> (for example, generate vpn x509 key-pair west, where west.key is the private key and west.csr is the certificate signing request file; both are created in /config/auth).
2 Send the CSR file (for example, west.csr) to the certificate authority (CA) and receive back a server certificate (for example, west.crt), the CA certificate (for example, ca.crt), and potentially a certificate revocation list (CRL) file. This procedure varies according to the CA being used.
At this point the configuration can be modified to use these files.

Modify WEST’s Connection to EAST

Example 2-15 modifies the connection from WEST to EAST to use X.509 certificates for authentication. In this example:
• The authentication mode is changed from pre-shared secret to X.509 certificates.
• The certificate for the peer is identified using its Distinguished Name information. This is the information prompted for when creating the certificate signing request (CSR) file on the peer.
• The locations of the CA certificate, the server certificate, and the private key file for the server are specified.
To modify the site-to-site connection to use X.509 certificate authentication, perform the following steps:

Example 2-15 Configure WEST for X.509 certificate authentication

Step: Remove the pre-shared key.
  vyatta@WEST# delete vpn ipsec site-to-site peer 192.0.2.33 authentication pre-shared-secret

Step: Change the authentication mode.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication mode x509

Step: Specify the ‘distinguished name’ of the certificate for the peer.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication remote-id "C=US, ST=CA, O=ABC Company, CN=east, E=root@abcco.com"



Step: Specify the location of the CA certificate.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication x509 ca-cert-file /config/auth/ca.crt

Step: Specify the location of the server certificate.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication x509 cert-file /config/auth/west.crt

Step: Specify the location of the server key file.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication x509 key file /config/auth/west.key

Step: Specify the password for the server key file.
  vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication x509 key password testpwd-west

Step: Commit the configuration.
  vyatta@WEST# commit

Step: View the modified configuration for the site-to-site connection.
  vyatta@WEST# show vpn ipsec site-to-site peer 192.0.2.33
  authentication {
      mode x509
      remote-id "C=US, ST=CA, O=ABC Company, CN=east, E=root@abcco.com"
      x509 {
          ca-cert-file /config/auth/ca.crt
          cert-file /config/auth/west.crt
          key {
              file /config/auth/west.key
              password testpwd-west
          }
      }
  }
  default-esp-group ESP-1W
  ike-group IKE-1W
  local-address 192.0.2.1
  tunnel 1 {
      local {
          prefix 192.168.40.0/24
      }
      remote {
          prefix 192.168.60.0/24
      }
  }

Step: View IPsec interface configuration.
  vyatta@WEST# show vpn ipsec ipsec-interfaces
  interface eth1

Step: View Ethernet interface eth1 address configuration. local-address is set to this address.
  vyatta@WEST# show interfaces ethernet eth1 address
  address 192.0.2.1/27


Modify EAST’s Connection to WEST

Example 2-16 modifies the connection from EAST to WEST to use X.509 certificates for authentication. In this example:
• The authentication mode is changed from pre-shared secret to X.509 certificates.
• The certificate for the peer is identified using its ‘distinguished name’ information. This is the information prompted for when creating the certificate signing request (CSR) file.
• The locations of the CA certificate, the server certificate, and the private key file for the server are specified.
To modify the site-to-site connection to use X.509 certificate authentication, perform the following steps:

Example 2-16 Configure EAST for X.509 certificate authentication

Step: Remove the pre-shared key.
  vyatta@EAST# delete vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret

Step: Change the authentication mode.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication mode x509

Step: Specify the ‘distinguished name’ of the certificate for the peer.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id "C=US, ST=CA, O=ABC Company, CN=west, E=root@abcco.com"

Step: Specify the location of the CA certificate.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication x509 ca-cert-file /config/auth/ca.crt

Step: Specify the location of the server certificate.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication x509 cert-file /config/auth/east.crt

Step: Specify the location of the server key file.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication x509 key file /config/auth/east.key

Step: Specify the password for the server key file.
  vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 authentication x509 key password testpwd-east

Step: Commit the configuration.
  vyatta@EAST# commit


Step: View the modified configuration for the site-to-site connection.
  vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
  authentication {
      mode x509
      remote-id "C=US, ST=CA, O=ABC Company, CN=west, E=root@abcco.com"
      x509 {
          ca-cert-file /config/auth/ca.crt
          cert-file /config/auth/east.crt
          key {
              file /config/auth/east.key
              password testpwd-east
          }
      }
  }
  default-esp-group ESP-1E
  ike-group IKE-1E
  local-address 192.0.2.33
  tunnel 1 {
      local {
          prefix 192.168.60.0/24
      }
      remote {
          prefix 192.168.40.0/24
      }
  }

Step: View IPsec interface configuration.
  vyatta@EAST# show vpn ipsec ipsec-interfaces
  interface eth0

Step: View Ethernet interface eth0 address configuration. local-address is set to this address.
  vyatta@EAST# show interfaces ethernet eth0 address
  address 192.0.2.33/27

Defining a VPN Connection to a Peer with a Dynamic


IP Address
This section presents the following topics:
• Configure WEST
• Configure EAST
This section presents a sample configuration for a connection between WEST and
EAST, where EAST has a dynamic IP address (it is configured as a DHCP client). In this
example:
• EAST has a dynamic IP address from WEST's point of view.
• WEST retains its fixed IP address.
When you have finished, these systems will be configured as shown in Figure 2-2.

Figure 2-2 IPsec VPN connection with dynamic IP address
[Figure: VPN tunnel between WEST and EAST. WEST has eth0 at .5 on 192.168.40.0/24 and eth1 at .1 on 192.0.2.0/27 (the other end of that link is .30). EAST has eth0 with a dynamic address on 192.0.2.32/27 (the other end of that link is .62) and eth1 at .8 on 192.168.60.0/24.]

Before you begin:
• This example assumes that you have already configured a basic site-to-site
connection using a preshared key between WEST and EAST, as explained in the
section "Configuring a Basic Site-to-Site Connection" on page 20. Only the
relevant changes to that configuration are presented here.

Configure WEST
Example 2-17 defines configuration changes for a new site-to-site connection to
EAST.
• The main change is the IP address specification of the peer. This is set to 0.0.0.0 to
represent "any" IP address. Because the IP address of the peer is unknown, WEST
will not initiate connections to the peer. It will only receive connections from the
peer. Note that 0.0.0.0 does not restrict where those connections come from: any
host that presents the correct pre-shared secret can bring up this connection, so a
wildcard peer deserves a long, random secret.
To configure this connection, perform the following steps on WEST in configuration
mode.
Example 2-17 Creating a site-to-site connection to a peer with a dynamic IP address

Delete the previous configuration.
    vyatta@WEST# delete vpn ipsec site-to-site peer 192.0.2.33

Create the node for EAST and set the authentication mode.
    vyatta@WEST# set vpn ipsec site-to-site peer 0.0.0.0 authentication mode pre-shared-secret

Navigate to the node for the peer for easier editing.
    vyatta@WEST# edit vpn ipsec site-to-site peer 0.0.0.0
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Provide the string that will be used to generate encryption keys. The value test_key_1 is for illustration only; a production secret should be long and random.
    vyatta@WEST# set authentication pre-shared-secret test_key_1
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Specify the default ESP group for all tunnels.
    vyatta@WEST# set default-esp-group ESP-1W
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Specify the IKE group.
    vyatta@WEST# set ike-group IKE-1W
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Identify the IP address on this Vyatta system to be used for this connection.
    vyatta@WEST# set local-address 192.0.2.1
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Create a tunnel configuration, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 1 local prefix 192.168.40.0/24
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Provide the remote subnet for the tunnel.
    vyatta@WEST# set tunnel 1 remote prefix 192.168.60.0/24
    [edit vpn ipsec site-to-site peer 0.0.0.0]

Return to the top of the configuration tree.
    vyatta@WEST# top

Commit the configuration.
    vyatta@WEST# commit

View the configuration for the site-to-site connection.
    vyatta@WEST# show vpn ipsec site-to-site peer 0.0.0.0
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
    tunnel 1 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.60.0/24
        }
    }

View IPsec interface configuration.
    vyatta@WEST# show vpn ipsec ipsec-interfaces
    interface eth1

View Ethernet interface eth1 address configuration. local-address is set to this address.
    vyatta@WEST# show interfaces ethernet eth1 address
    address 192.0.2.1/27

Configure EAST
The connection from EAST to WEST only requires a minor change from that configured
in the section “Configuring a Basic Site-to-Site Connection” on page 20.
• WEST retains its fixed IP, so no modification is required to the remote peer IP
address.
• EAST has a dynamic local IP, so that must change. The dhcp-interface option
specifies the DHCP client interface.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2-18 Specify that the local IP is dynamic.

Remove the existing local-address configuration so that it doesn't conflict with the dhcp-interface configuration that will be set.
    vyatta@EAST# delete vpn ipsec site-to-site peer 192.0.2.1 local-address
    [edit]

Specify the DHCP client interface to use for the connection.
    vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 dhcp-interface eth0
    [edit]

Commit the configuration.
    vyatta@EAST# commit

View the configuration for the site-to-site connection.
    vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1E
    dhcp-interface eth0
    ike-group IKE-1E
    tunnel 1 {
        local {
            prefix 192.168.60.0/24
        }
        remote {
            prefix 192.168.40.0/24
        }
    }

View IPsec interface configuration.
    vyatta@EAST# show vpn ipsec ipsec-interfaces
    interface eth0

View Ethernet interface eth0 address configuration. It is set to dhcp, which configures it as a DHCP client. This is the setting required by dhcp-interface.
    vyatta@EAST# show interfaces ethernet eth0
    address dhcp

Defining a VPN Connection to a Peer Using Dynamic DNS


This section presents the following topics:
• Configure WEST
• Configure EAST
This section presents a sample configuration for a connection between WEST and
EAST, where EAST has a dynamic IP address (it is configured as a DHCP client) and is
configured for dynamic DNS. In this example:
• EAST has a dynamic IP address from WEST’s point of view but WEST can initiate
connections to EAST because EAST’s hostname remains constant even though its
IP address may change.
• WEST retains its fixed IP address.
When you have finished, these systems will be configured as shown in Figure 2-3.


Figure 2-3 IPsec VPN connection with dynamic IP address and dynamic DNS
[Figure: VPN tunnel between WEST and EAST; EAST's hostname is east.company.com. WEST has eth0 at .5 on 192.168.40.0/24 and eth1 at .1 on 192.0.2.0/27 (the other end of that link is .30). EAST has eth0 with a dynamic address on 192.0.2.32/27 (the other end of that link is .62) and eth1 at .8 on 192.168.60.0/24.]

Before you begin:
• This example assumes that you have already configured a basic site-to-site
connection using a preshared key between WEST and EAST, as explained in the
section "Configuring a Basic Site-to-Site Connection" on page 20. Only the
relevant changes to that configuration are presented here.

Configure WEST
Example 2-19 defines configuration changes for a new site-to-site connection to
EAST.
• The main change is the IP address specification of the peer. This is set to the
hostname for EAST: "east.company.com". This is the hostname that is configured
on EAST with the dynamic DNS provider. Because the IP address for EAST can be
resolved, WEST can either initiate IPsec connections to, or receive IPsec
connections from, EAST. Name resolution itself is not authenticated; it only tells
WEST where to send IKE traffic. The peer is still authenticated by the pre-shared
secret, so a forged DNS answer can misdirect or disrupt the connection but cannot
impersonate EAST without that secret.
• The other important change is to configure auto-update so that if EAST's IP
address changes, the IPsec connection to EAST will be restarted automatically.
To configure this connection, perform the following steps on WEST in configuration
mode.
Example 2-19 Creating a site-to-site connection to a peer with a dynamic IP address and using dynamic DNS

Delete the previous configuration.
    vyatta@WEST# delete vpn ipsec site-to-site peer 192.0.2.33

Create the node for EAST and set the authentication mode.
    vyatta@WEST# set vpn ipsec site-to-site peer east.company.com authentication mode pre-shared-secret

Navigate to the node for the peer for easier editing.
    vyatta@WEST# edit vpn ipsec site-to-site peer east.company.com
    [edit vpn ipsec site-to-site peer east.company.com]

Provide the string that will be used to generate encryption keys.
    vyatta@WEST# set authentication pre-shared-secret test_key_1
    [edit vpn ipsec site-to-site peer east.company.com]

Specify the default ESP group for all tunnels.
    vyatta@WEST# set default-esp-group ESP-1W
    [edit vpn ipsec site-to-site peer east.company.com]

Specify the IKE group.
    vyatta@WEST# set ike-group IKE-1W
    [edit vpn ipsec site-to-site peer east.company.com]

Identify the IP address on this Vyatta system to be used for this connection.
    vyatta@WEST# set local-address 192.0.2.1
    [edit vpn ipsec site-to-site peer east.company.com]

Create a tunnel configuration, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 1 local prefix 192.168.40.0/24
    [edit vpn ipsec site-to-site peer east.company.com]

Provide the remote subnet for the tunnel.
    vyatta@WEST# set tunnel 1 remote prefix 192.168.60.0/24
    [edit vpn ipsec site-to-site peer east.company.com]

Return to the top of the configuration tree.
    vyatta@WEST# top

Commit the configuration.
    vyatta@WEST# commit

View the configuration for the site-to-site connection.
    vyatta@WEST# show vpn ipsec site-to-site peer east.company.com
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    default-esp-group ESP-1W
    ike-group IKE-1W
    local-address 192.0.2.1
    tunnel 1 {
        local {
            prefix 192.168.40.0/24
        }
        remote {
            prefix 192.168.60.0/24
        }
    }

View IPsec interface configuration.
    vyatta@WEST# show vpn ipsec ipsec-interfaces
    interface eth1

View Ethernet interface eth1 address configuration. local-address is set to this address.
    vyatta@WEST# show interfaces ethernet eth1 address
    address 192.0.2.1/27

Specify that the IPsec connection should be refreshed every 60 seconds, in case the peer's IP address changes. If this happens, the new IP address will be resolved via the dynamic DNS service provider.
    vyatta@WEST# set vpn ipsec auto-update 60
    [edit]

Commit the configuration.
    vyatta@WEST# commit

View the configuration.
    vyatta@WEST# show vpn ipsec auto-update
    auto-update 60

Configure EAST
The connection from EAST to WEST only requires a minor change from that configured
in the section “Configuring a Basic Site-to-Site Connection” on page 20.
• WEST retains its fixed IP, so no modification is required to the remote peer IP
address.
• EAST has a dynamic local IP, so that must change. The dhcp-interface option
specifies the DHCP client interface.
• EAST is also configured for dynamic DNS, in this case with service provider
DynDNS. See the “Configuring Dynamic DNS” section in the Vyatta Services
Reference Guide for details on configuring a system for dynamic DNS.
To configure this connection, perform the following steps on EAST in configuration
mode.
Example 2-20 Specify that the local IP is dynamic.

Remove the existing local-address configuration so that it doesn't conflict with the dhcp-interface configuration that will be set.
    vyatta@EAST# delete vpn ipsec site-to-site peer 192.0.2.1 local-address
    [edit]

Specify the DHCP client interface to use for the connection.
    vyatta@EAST# set vpn ipsec site-to-site peer 192.0.2.1 dhcp-interface eth0
    [edit]